The Privacy Council

Together we can end SPAM, Junk Mail and Unsolicited Phone Calls


What Color is Your Hat?

Posted on August 7th, 2008

This week in Las Vegas, Internet security professionals from across the country converged for Black Hat USA 2008. The many briefings and trainings that were offered covered a variety of safety issues, such as phishing, malware, data theft, threats to the 2008 Presidential Election, and the DNS flaw we wrote about last week (Dan Kaminsky was in attendance to detail that particular threat). Even current and former government cyber-security officials were in attendance to make presentations and learn about the latest and greatest threats to online public safety.

Part of the appeal of this conference (and its follow-up, the hacker conference DEFCON) is that the people who make a living protecting computers from malicious assault can indulge their less-than-heroic urges. In an effort to point out potential weaknesses in the current software and systems in use, the pros unveil their own codes and tricks that circumvent security and leave sensitive data vulnerable to attack.  Of course, the focus is on improved security to foil these attacks, but the real fun is in playing the bad guy (the “black hat”). This is why Black Hat declares itself positioned at the “intersection of network security and hacker ingenuity.”

Despite the creative efforts of security experts, one truth that routinely emerges from these conferences is that, no matter how good the mousetrap, someone will build a better mouse. This year’s Black Hat briefings indicate that the flaws and problems with our current systems are growing almost faster than security professionals can adapt to fix them. For example, web-based software (software that runs in a browser) has inherent weaknesses that are difficult to anticipate and correct, especially at the speed at which applications are being developed. 

Meanwhile, identity theft cases worth billions of dollars continue to come to light, usually with little response from those in the business. When the news broke during the conference that 11 people had been indicted for stealing 41 million credit and debit card numbers from a variety of retail systems (making it the largest hacking and identity theft case in history), the general consensus was not one of shock. Gathered professionals agreed that such crime will continue to persist, largely because it has been so successful and profitable for hackers. As one cyber crime expert for the Department of Defense told an AP reporter, “These guys were just persistent and lucky. And they got caught.” 

The reality is enough to make the average web merchant a little bit paranoid. Are our Internet security measures nothing more than Swiss cheese bricks just waiting for a clever hacker to slip through? Not necessarily. And the other important factor to keep in mind is that, as the need for security increases, the need to preserve privacy must also be considered. The Electronic Frontier Foundation (EFF) chose the Black Hat conference as the place to announce their new Coders’ Rights Project, which is an initiative designed to protect programmers and developers from legal threats that could interfere with their research. Above-board programmers shouldn’t have to worry that their latest, greatest development will lead to a lawsuit down the road; such a worry would have a serious chilling effect on technological advancement.

In the end, a persistent plea at Black Hat was one of collaboration. Working together, some claim, is the best way to thwart the hackers and protect our information. Rod Beckstrom, Director of the National Cyber Security Center in the U.S. Department of Homeland Security, gave a keynote address at Black Hat that walked participants back through history and drew parallels between historic events and the current situation with Internet security. While some of his analogies were elaborate, his message was simple: together, the developers and security professionals are more powerful than on their own. Whether that message will resonate remains to be seen. In the meantime, the best thing the average user or web merchant can do is be cognizant of what COULD happen, and vigilant in watching out for it.

Above all, resist the urge to turn to the “other side”… There may be lots of money to be had in stealing identities, but as Black Hat attendees prove, the efforts to reinforce the mousetrap are tireless and, in many cases, effective. There may never be complete and total security, but hackers don’t stand much of a chance when the guys working against them wear the black hat themselves on occasion.  

Sources for this article: NetworkWorld, Black Hat, PC World, Yahoo! News, InformationWeek
